Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vNc81-008YmT-1a for pgsql-general@arkaria.postgresql.org; Mon, 24 Nov 2025 19:21:37 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vNc7z-003Rag-03 for pgsql-general@arkaria.postgresql.org; Mon, 24 Nov 2025 19:21:35 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vNc7y-003RaX-25 for pgsql-general@lists.postgresql.org; Mon, 24 Nov 2025 19:21:34 +0000 Received: from fout-b5-smtp.messagingengine.com ([202.12.124.148]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vNc7w-001HXg-2F for pgsql-general@lists.postgresql.org; Mon, 24 Nov 2025 19:21:34 +0000 Received: from phl-compute-03.internal (phl-compute-03.internal [10.202.2.43]) by mailfout.stl.internal (Postfix) with ESMTP id D020D1D00117; Mon, 24 Nov 2025 14:21:25 -0500 (EST) Received: from phl-mailfrontend-01 ([10.202.2.162]) by phl-compute-03.internal (MEProxy); Mon, 24 Nov 2025 14:21:25 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kurilemu.de; h= cc:cc:content-transfer-encoding:content-type:content-type:date :date:from:from:in-reply-to:in-reply-to:message-id:mime-version :reply-to:subject:subject:to:to; s=fm2; t=1764012085; x= 1764098485; bh=A6AwXWNQ3HHSJvX2cvpirgTVIW+x5uEa9JoyKYrwfOo=; b=Y oz6xw9bo22DzKpgsLRYUlchEY+BozS97rcgWaZCFCFAXWPNDbG0YwiWkd/uwPWtW g8W95W4cWelm4GqCQLjkPzB41zdikuwAqI3FPbkNv34fPetPc92cjGTsBQhuZKkn Ai9SFbs/FcZW4rc0rcsh0yzTLpUG43sGcjFrFmJ9K2l+eB2aoPHadGoK4JoGJSx6 28zQm7n77cEzL/u8yEk/KzuzECtIW6j6ZYEyvz5zoRWWDN9c1O9K/gXmvVL3GCTo Znm17FpsL/zPCtvdmolYwxUFz5gRMuQJ6EuG6s/LCWbNwHDwrZKGyVXA4CRnTDqk zfwyvuBcui36+DMSSSU2A== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :reply-to:subject:subject:to:to:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm3; t=1764012085; x=1764098485; bh=A 6AwXWNQ3HHSJvX2cvpirgTVIW+x5uEa9JoyKYrwfOo=; b=oMvK4c3zEbMpU5vQy fAEtqd6v4m+NyaT6xmlvSGO6ID/GkZ0jnQEa1FqXkFvcd49t3hkK9VaY5wQemnjO E3dCHqUv4cbrhzpGqC0CK/sE2QDNzMUf9UQDXJ+0n4ZtpH6oeOOgM8O0cK2PHQji 07/2vHeuazOM0CXLf6qvF4kF2bG1lgOj9hJykzoaREhzT6Aax3845IDD6BvTRm+a pXXteLo2mLhNoMg1qbTe7XLVj5/D7/6a8+Oo/ghAJBEaCk3G4J9dfFUzqM3346Tr rftIHvMPEItAcbKbH2TIPeK7lV5P0PfO9RcEQDANU0CidFf2BH3ckHsen9grcKPl djKug== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtdeggddvfeelgeefucetufdoteggodetrf dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfurfetoffkrfgpnffqhgenuceu rghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujf gurhepfffhvfevuffkgggtugfgjgesthekredttddtjeenucfhrhhomheplmhlvhgrrhho ucfjvghrrhgvrhgruceorghlvhhhvghrrhgvsehkuhhrihhlvghmuhdruggvqeenucggtf frrghtthgvrhhnpeetuedvheffkeevgfeuheevteevkefggedttdeufeeuheduuddthfef fffhjeefffenucffohhmrghinhepvghnthgvrhhprhhishgvuggsrdgtohhmnecuvehluh hsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheprghlvhhhvghrrhgv sehkuhhrihhlvghmuhdruggvpdhnsggprhgtphhtthhopeegpdhmohguvgepshhmthhpoh huthdprhgtphhtthhopehlrghurhgvnhiirdgrlhgsvgestgihsggvrhhtvggtrdgrthdp rhgtphhtthhopehnvgifohgrkhhllhgtvddtvdefsehgmhgrihhlrdgtohhmpdhrtghpth htohepphhgshhqlhdqghgvnhgvrhgrlheslhhishhtshdrphhoshhtghhrvghsqhhlrdho rhhgpdhrtghpthhtohepthhglhesshhsshdrphhghhdrphgrrdhush X-ME-Proxy: Feedback-ID: ie3de48e3:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon, 24 Nov 2025 14:21:24 -0500 (EST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kurilemu.de; s=schmee; t=1764012083; bh=X9gsRz2Y1uX+4drDlvNmz2O7VTgvurGwl+iqCq/yXGg=; h=Date:From:To:Cc:Subject:In-Reply-To:From; b=b+n04zMF28v/FM3C08kfFd+ofviAqIeW0t/uV31IogjGAhDZV/fR9cJeg9PHHMK9E yxBp539A1xP/N2j3yxTYzsocjGb1MF4nodsMMjcsEwdRLr666H/QBvldwnAn0m5KSZ 2cOWXmC3205wQ/14IUiR8GOJ+FzM8zv901rHa4znSe86GegQHjfas3TWYDQJT/kZ9o E7WOdn4aIK1xQXNd2FhqjPMdB7XNwJwMlj71vcqK5cMRZkT8Se719o2sfbsK2ys4gI pMDK15z7O1ODGgJYUy5rpjF5QYaekeKGcC40M8plXHuQTBxEYf3gP0BWfecW8dn3et zgrjVloTSuIoA== Received: by schmee.kurilemu.internal (Postfix, from userid 1000) id 9DA5876; Mon, 24 Nov 2025 20:21:23 +0100 (CET) Date: Mon, 24 Nov 2025 20:21:23 +0100 From: =?utf-8?Q?=C3=81lvaro?= Herrera To: Tom Lane Cc: Laurenz Albe , Calvin Guo , pgsql-general@lists.postgresql.org Subject: Re: set role command Message-ID: <202511241909.nudhcfkcugfl@alvherre.pgsql> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <981855.1764009811@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 2025-Nov-24, Tom Lane wrote: > =?utf-8?Q?=C3=81lvaro?= Herrera writes: > > For what it's worth, I think we break the SQL standard's security model > > by providing RESET ROLE and RESET SESSION AUTHORIZATION, neither of > > which the standard has. > > I don't think so. They are just shorthand for issuing a SET to the > original value, so how do they break the model in a way that that > doesn't? No, because the new user doesn't have privs to become the previous one. > > This means that in the standard model you have > > commands to lower your privilege, but once you've lowered them, you > > cannot return (in the same connection) to what you had. > > The reason PG acts as it does is that we interpret "the permissions > required to do SET SESSION AUTHORIZATION" as "did your originally > authenticated ID have permission to do that SET?". I have the impression that that's broken, because for , the standard says that the current user identifier is set to the new user, which means the previous user identifier is lost. You don't retain rights to become that user again. > In practical terms, the one-way changes that Calvin wants are just not > that attractive. What people have actually asked for, particularly > connection-pooler authors, are a way to switch session authorization > in such a way that you can only go back with some additional secret > sauce, like a one-time password generated at the pooler level. Yeah, I think connection poolers would be better served by a different security model than what the standard offers. The pooler-generated one-time password, or something similar, seems somewhat appropriate given what we offer today. I'm not sure it's the best model either, because it requires that the connection is initially in a superuser-like state (so that it can become any other user). But that's somewhat dangerous, because if an attacker manages to steal the one-time password, they are database superuser and all is lost. It would be more secure to have a mechanism where the connection is initially unauthenticated altogether (which means: it's not a valid SQL session), becomes authenticated at the pooler's will, and returns to unauthenticated state as the pooler decides. Critically, from unauthenticated state you shouldn't be able to become superuser. (Also, last I looked at pgbouncer, it had to do some weird tricks to mimick the authentication on their side without involving the server, so it wanted to keep its own list of user/passwords or something like that. Maybe that's changed in the last few years though.) -- Álvaro Herrera 48°01'N 7°57'E — https://www.EnterpriseDB.com/ "Having your biases confirmed independently is how scientific progress is made, and hence made our great society what it is today" (Mary Gardiner)